(54) Method and apparatus for accessing touch screen desktop objects via fingerprint recognition.



(57) A method of manipulating and obtaining access to graphical desktop objects is disclosed. Touch-sensitive fields are provided on a computer display for user selection. Upon selecting one of the fields with a fingertip, a fingerprint therefrom is analyzed and compared to a list of authorized fingerprints. Once the fingerprint passes inspection, the user is granted access to the underlying program.
This invention relates in general to graphical user interfaces, and in particular to the use of fingerprint recognition with touch screens to manipulate graphical desktop objects and to access the underlying data.

Modern computer systems are becoming more user-friendly through the use of graphical user interfaces. Such interfaces provide a more intuitive method for an operator to use the programs thereon. For example, an operator may invoke a program by the selection of a graphical object or icon rather than by typing in a program command. Thus, the operator does not need to remember program commands which are frequently non-intuitive and are generally considered unfriendly.

As computers are more and more widely accepted, more information, including sensitive or classified information, is placed on computers. As is well known, there are many people who pride themselves in the ability to "break" into computer systems to access data. There are many different ways to attempt to prevent unauthorized personnel from obtaining data on a computer. Passwords are commonly used for such a purpose. For example, an operator is required to type in a predetermined code word or sequence of keystrokes before access is granted. If the password is approved, the operator is then allowed to obtain the data and/or run programs as desired. Unfortunately, as noted above, there are many personnel who pride themselves in being able to break code words or passwords and obtain unauthorized entry into computer systems.

In addition to the use of passwords, other entry authorization techniques include the use of identification cards (US Patent No. 4,590,509, July 8, 1986, to S Overman, et al.) and encryption devices (US Patent No. 4,691,355, September 1, 1987, to Wirstrom, et al.).

Whenever a plurality of personnel have access to a single input device, there is a possibility that unauthorized access may be allowed. For example, an operator will typically initialize the terminal at the beginning of the day and sign on with the appropriate password. Thus, access will be granted to any programs to which that operator is allowed by anyone who would use that terminal. If the operator is absent from the terminal, any person authorized or unauthorized would be able to obtain data therefrom. Thus, there is a need for a method and apparatus which will allow a computer system to grant access to individual files/programs on an as-authorized basis only.

Further, in the desire to create a more user-friendly system, touch screen technology enables direct object selection by a user's fingers contacting a touch screen surface directly over a graphical object. In addition, there are known devices which can compare a live fingerprint against a referenced print. Thus, while there are fingerprint recognition devices, there is no presently known method and apparatus allowing access to computer systems and individual programs thereon by fingerprint recognition on touch screens.

The present invention provides a method and apparatus for obtaining access to a computer system which eliminates or substantially reduces the problems of the prior art. The present invention allows a computer system, with multiple operators through single input devices, to grant access to individual files/programs on an as-authorized basis only.

In accordance with one aspect of the present invention, a method of obtaining access to a computer system is provided. A recognition device is linked to the system. Access to the system is then based upon an acceptable response provided by a user to the recognition device.

In one embodiment, the recognition device comprises a fingerprint recognition device. By touching a screen directly over a graphical object, a user may be granted access to the program identified thereby only if there is a match with a file of authorized prints. If no match occurs, access to that program is denied. Thus, multiple users of a single terminal can obtain information only from programs to which they are authorized access.

It is a technical advantage of the present invention that multiple users of a single terminal will be allowed to access only the data they are authorized. It is a further technical advantage of the present invention that access can be granted to multiple levels of information, if authorized, without the need for multiple passwords.

For a more complete understanding of the present invention and the advantages thereof, reference is now made to the Detailed Description taken in conjunction with the attached Drawings, in which:

Figure 1 is a graphical representation of a data processing system in accordance with the present invention;

Figure 2 illustrates a password entry to gain access to a computer system in accordance with the prior art;

Figure 3 illustrates an embodiment of the present invention;

Figure 4 is a diagram illustrating the interrelationship of the various components used in conjunction with the present invention; and

Figure 5 is a flowchart of the present invention.

Referring first to Figure 1, there is depicted a graphical representation of a data processing system 8 which may be utilized to implement the present invention. As may be seen, data processing system 8 may include a plurality of networks, such as Local Area Networks (LAN) 10 and 32, each of which preferably includes a plurality of individual computers 12 and 30, respectively. Of course, those skilled in the art will appreciate that a plurality of Intelligent Workstations (IWS) coupled to a host processor may be utilized for each such network. As is common in such data processing systems, each individual computer may be coupled to a storage device 14 and/or a printer/output device 16.

The data processing system 8 may also include multiple mainframe computers, such as mainframe computer 18, which may be preferably coupled to LAN 10 by means of communications link 22. The mainframe computer 18 may also be coupled to a storage device 20 which may serve as remote storage for LAN 10. Similarly, LAN 10 may be coupled via communications link 24 through a subsystem control unit/communications controller 26 and communications link 34 to a gateway server 28. Gateway server 28 is preferably an individual computer or IWS which serves to link LAN 32 to LAN 10.

With respect to LAN 32 and LAN 10, a plurality of documents or resource objects may be stored within storage device 20 and controlled by mainframe computer 18, as resource manager or library service for the resource objects thus stored. Of course, those skilled in the art will appreciate that mainframe computer 18 may be located a great geographic distance from LAN 10 and similarly, LAN 10 may be located a substantial distance from LAN 32. For example, LAN 32 may be located in California while LAN 10 may be located within Texas and mainframe computer 18 may be located in New York.

Referring next to Figure 2, a monitor 40 and keyboard 42 such as found with individual computers 12 and 30 (see Fig. 1) are illustrated. As shown on screen 44 of the monitor 40, a required "Enter Password" as indicated by reference numeral 46 is displayed. In order to gain access to the data accessible through the monitor 40, an operator must type, using keyboard 42, the authorized password in the space provided on the screen 44. As used herein, an "operator" is defined as a person who uses a computer program installed on a computer system. The term "user" may be used interchangeably herein to mean the same as an "operator". Once the proper password is typed, entered and accepted, the operator typically has access to any information available thereby. Thus, if the operator leaves the monitor 40 unattended without appropriately securing same, an unauthorized person may obtain access to data therethrough.

Referring to Figure 3, a monitor 50 and keyboard 52 such as are used with the individual computers 12 and 30 (see Fig. 1) are illustrated. In contrast with the prior art, the present invention does not provide access to all data available through the monitor 50 just by entering a single (or even multiple levels) of code words. Once the computer system to which the monitor 50 and keyboard 52 are connected has been activated, touch screen fields (which may include text or graphics) are presented to the operator. For example, a touch screen field 54 is provided for access to confidential files, a touch screen field 56 is provided for access to secret files and a touch screen field 58 is provided for access to unclassified files. In addition, touch screen fields 60, 62, 64, 66 and 68 may be provided for access to programs/data A, B, C, D and E, respectively. In order to gain access to any of the data or programs indicated by one of the touch screen fields 54, 56, 58, 60, 62, 64, 66 or 68, an operator must place their fingertip thereon. At that point, a fingerprint recognition device interconnected to the monitor 50 will check for authorized access. If the operator is authorized access to that data/program, the data/program will be presented to the operator. Any single operator may be authorized access to one or more of the programs/files presented on the monitor 50. Similarly, all operators in a department/group may access data/programs through the monitor 50 only if they are authorized for the specific information they are attempting to gain access to. By using the present invention, the unattended monitor 50 has a reduced likelihood of being used to compromise data by personnel not authorized access thereto. Also, use of a time delay may keep unattended access to a specific program (already opened) to a minimum.

Referring to Figure 4, a graphical illustration of the interrelationship of components necessary to utilize the present invention is illustrated. A multi-point, touch-sensitive surface 70 which detects contact at given points is provided with the monitor 50 (see Fig. 3). An analog-digital converter 72 to pass data about contacts is positioned between the touch-sensitive surface 70 and a touch driver 74. From the touch driver 74, a dual path is taken to an access grantor 76. In a first path, a graphical user interface 78 indicates which icon has been selected. Information about the selected icon is then passed to an application 80 for processing. In a second path, the touch driver 74 communicates with a fingerprint analyzer 82. A fingerprint image is communicated to the analyzer 82 in a form appropriate to distinguish a unique fingerprint, as is known in the art. Once an operator touches a field or an icon, a fingerprint template is compared to an associated "per-icon" access table found in the access grantor 76. Upon the templates meeting a specified confidence level, manipulation access is granted through an operating system 84 and access method 86. The appropriate program/data is then obtained from nonvolatile storage 88 which allows the operator to proceed.

Referring to Figure 5, a flowchart illustrating the present invention is provided. The present invention starts at 100 and waits for user interaction at block 102. At decision block 104 it is determined whether or not an "End Program" is detected. If the response to decision block 104 is yes, the present invention ends at 106. If the response to decision block 104 is no, the operating system is queried for selected object identification at block 108.

At decision block 110 it is then determined whether or not the object ID requires fingerprint authentication. If the response to decision block 110 is no, the program associated with the selected object is invoked at block 112, which is an unlimited capability, followed by a return to block 102 to wait for user interaction. If the response to decision block 110 is yes, an image is obtained from the touch driver at block 114.

At decision block 116 it is determined whether or not the image meets the recognition threshold. If the response to decision block 116 is no, an error message is returned to the user at block 118 followed by a return to block 102. If the response to decision block 116 is yes, it is determined at decision block 120 whether or not an image match is found within the access table domain. If the response to decision block 120 is no, an error message is returned to the user at block 118 followed by a return to block 102. If the response to decision block 120 is yes, it is determined at decision block 122 whether or not the access table contains a recognized user and selected object match. If the response to decision block 122 is no, an error message is returned to the user at block 118 followed by return to block 102. If the response to decision block 122 is yes, it is determined at decision block 124 whether or not the access table contains application usage restrictions for this user. If response to decision block 124 is yes, programs associated with the selected object (a limited capability) are invoked at block 126 followed by a return to block 102. If the response to decision block 124 is no, the program associated with the selected object is invoked at decision block 112 followed by a return to block 102.
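
The decision path of Figure 5 (blocks 110 through 126) can be sketched as follows. This is an added example, not code from the patent: the set-based Jaccard matcher, both threshold values, the user and object names and the table contents are constructed assumptions standing in for a real fingerprint analyzer and access table.

```python
from typing import Optional

QUALITY_MIN = 0.6   # assumed recognition threshold for block 116
MATCH_MIN = 0.8     # assumed confidence level for a template match

# Constructed enrolment data: user -> set of toy "minutiae" features.
ENROLLED = {
    "alice": frozenset({"a1", "a2", "a3", "a4", "a5"}),
    "bob": frozenset({"b1", "b2", "b3", "b4", "b5"}),
}
# Constructed per-icon access table: object -> {user: usage_restricted}.
ACCESS_TABLE = {
    "secret_files": {"alice": False},
    "program_A": {"alice": False, "bob": True},
}
UNPROTECTED = {"help_screen"}  # hypothetical object needing no fingerprint


def best_match(features: frozenset) -> Optional[str]:
    """Block 120: return the enrolled user whose template scores highest,
    or None if no Jaccard similarity reaches MATCH_MIN."""
    scored = [(len(features & t) / len(features | t), u)
              for u, t in ENROLLED.items()]
    score, user = max(scored, default=(0.0, None))
    return user if score >= MATCH_MIN else None


def decide(object_id: str, quality: float, features: frozenset) -> str:
    """Walk blocks 110-126; return 'invoke', 'invoke_limited' or 'error'."""
    if object_id in UNPROTECTED:            # block 110: no fingerprint needed
        return "invoke"                     # block 112
    if quality < QUALITY_MIN:               # block 116: image too poor
        return "error"                      # block 118
    user = best_match(features)             # block 120: any enrolled print?
    if user is None:
        return "error"
    acl = ACCESS_TABLE.get(object_id, {})   # unlisted object: deny by default
    if user not in acl:                     # block 122: user/object pairing
        return "error"
    return "invoke_limited" if acl[user] else "invoke"   # block 124
```

An object that appears in neither `UNPROTECTED` nor `ACCESS_TABLE` is denied, so an omission in the table fails closed rather than falling through to block 112.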

As a result of the present invention, security of a terminal and the programs accessed thereby is greatly enhanced. To access data available through the terminal, a user must be authorized access and must in fact be the authorized user as evidenced by a fingerprint. Once a terminal is initiated, a user may leave the terminal unattended with reduced fear of unauthorized access to sensitive information. Even if the user leaves the terminal with a sensitive program running thereon, an unauthorized user would be unable to access other data. By including a timer, unattended access by unauthorized personnel will be cut even further.



Claims

1. A method of obtaining access to a computer system, comprising the steps of:
linking a recognition device to the system; and
allowing access to the system based upon an acceptable response provided by a user to said recognition device.



2. The method of Claim 1, wherein said step of linking comprises:
installing a fingerprint recognition device.

3. The method of Claim 1, further comprising the step of:
locking the system after a predetermined amount of time has lapsed without any user interaction.

4. A method of manipulating data availability on a computer system, comprising the steps of:
selecting a touch screen field displayed on the system with a user's fingertip;
comparing a fingerprint from said fingertip with an access table containing representations of fingerprints authorized access to said field; and
granting access if said fingerprint matches one of said fingerprints authorized access.

5. The method of Claim 4, wherein said step of selecting a field comprises:
selecting a graphical object.

6. The method of Claim 4, wherein said step of selecting a field comprises:
selecting a textual field.

7. A device for granting access to a computer system, comprising:
means for linking a recognition device to the system; and
means for allowing access to the system based upon an acceptable response provided by a user to said recognition device.

8. The device of Claim 7, wherein said means for linking comprises:
a fingerprint recognition device;
an analog-digital converter; and
a touch driver.

9. The device of Claim 7, wherein said means for allowing access comprises:
means for indicating a selected data field; and
means for comparing a user response to an acceptable response for said data field.

10. The device of Claim 9, wherein said means for indicating a selected data field comprises:
a graphical user interface; and
an application.

11. The device of Claim 10, wherein said means for comparing comprises:
a fingerprint analyzer; and
an access grantor.